topic Re: QOS for multiple user addresses in General Topics

QOS for multiple user addresses

AKabary — Thu, 28 Jun 2018 12:16:08 GMT

i need to create a qos policy to limit downloads and uploads of user addresses objects created on palo alto device

i know that i will ceate a qos profile for down and up , choose a class , priority and type guaranteed and max BW

then create a qos policy and qos interface

1-regarding the qos policy , do i need a policy for upload and policy for download??

2-regarding the qos egress interface and source subnet , will it difer between the upload and the download

3-if i make a download policy and apply it on say 10 user addresses , will that BW be given to the whole group f users or for each user individually

\thanks in advance

Re: QOS for multiple user addresses

BatD — Mon, 02 Jul 2018 06:19:01 GMT

@AKabary you are right, you will need a QoS profile and assign it to the Egress interface. Broadly speaking, you can have up to 8 Classes for traffic type. So lets say that you will create Class8 restricting downloads to particular value. The QoS policy can match traffic on specified criteria, but as an action you can only choose 1 of the classes or assign DSCP/ToS to be processed by another device.

So the answers will be:

I think you need to clarify what do you mean by upload and download. You need to really follow the Palo Alto policy logic. For example if user initiates a session to dropbox your QoS policy will be matching on source user, application Dropbox and action assign to class, then the policy will match this session regardless if the user is uploading or downloading files. Bandwidth restrictions will, however be applied only on the egress interface. So if you have restrictions on the external interface, but not on the internal, the policy will be the same, but only upload will have its bandwidth restricted.
The egress interface will differ for download and upload. Regarding source subnet, if you mean in policy, the logic is based on you policy and the type of traffic you need to match. If you are referring to “Source Subnet” configured under “QoS Interface”, then it will differ.
The policy is not relevant, but the action, which for example can be “Class 8”. You can have different conditions assigning traffic to Class 8 and anything assigned to Class 8 will share the Class 8 configured limit per egress interface.

QoS on Palo Alto is not as granular as some routers from other vendors and it has its limitations. So depending on how advanced you QoS set up need to be, you may need to consider offloading the functionality to another device.

Re: QOS for multiple user addresses

AKabary — Fri, 29 Jun 2018 07:36:18 GMT

Thank u
So , the policy can be applied to only obe phy interface
So by your example if i want to restrict download and upload speed

I need to create 2 qos profiles with 2 classes
and create 2 policies ,so what will he egress interface be for upload and downoad

Also in the policy for downoad ,the source and destination zones are blurry to me

Re: QOS for multiple user addresses

BatD — Fri, 29 Jun 2018 07:52:46 GMT

You are mixing the two concepts. Polcies match on sessions, download and upload only realte to in and out interface.

Presuming that the discussion is around your internal users. Your Upload QoS profile will apply to your external interface. Download will be internal.

If you want to apply the restrictions to user web traffic, in your case the policies will probably be always from trusted to untrusted zone assigning the traffic to a class.

Re: QOS for multiple user addresses

AKabary — Fri, 29 Jun 2018 08:04:56 GMT

Yes the interface is assigned a profile which is assigned a class

Now i will have 2 interfaces ext for upload traffic with its class and profile

Int for download traffic with its class and profile

Now i will create two policies or one policy ?
In the policy options u select the class
So i think i create 2 policies?

Re: QOS for multiple user addresses

AKabary — Sun, 01 Jul 2018 12:20:42 GMT

if iam going to restrict upload and download

i will create 2 qos profiles and assign to 2 classes

then add 2 physical interfaces , one for each direction (download and upload) and add the qos profile here

now, in the qos policy section , i will create 1 policy or two?
if 2 polcies , one fron trust to untrust and the other from untrust to trust // which one to add the class of upload and which one to add the class of download

thanks in advance

Re: QOS for multiple user addresses

Remo — Sun, 01 Jul 2018 17:50:46 GMT

@AKabary

You only need one QoS policy. This one policy will assign client-to-server and server-to-client traffic to the specified class. And based on this class you can then specify the bandwith/priority for upload and download seperately as already mentionned and explained by @BatD

Re: QOS for multiple user addresses

AKabary — Sun, 01 Jul 2018 20:09:33 GMT

But i created 2 classes for 2 qos profiles
One for upload and one for download

So if it is one qos policy , then which class should i add

Re: QOS for multiple user addresses

fjwcash — Thu, 05 Jul 2018 23:07:57 GMT

You only need one QoS Profile. In that profile, you specify your various classes with limits to bandwidth based on the class (lower numbered classes have higher priority). Or, you just define the classes with priority levels and just limit the total bandwidth to the Profile.

Then you create as many QoS Policies as you need to separate your traffic into the classes.

The Policies separate the traffic into the various classes. The Profile determines what those classes mean and how the traffic is handled.